[nsp-sec] Strong Increase in port 1433/tcp

Smith, Donald Donald.Smith at qwest.com
Mon Mar 2 18:00:44 EST 2009


77.87.97.8 is my top hitter.
I looked at just his netflow and watched him hit 129.219.x.y, where x and y appear to be pseudo-random, not sequential scans.
SYNs are all 48 bytes. The ACKs coming from 77.87.97.8 are in the 200-228 byte range (including Ethernet header). I suspect this is an exploit, given the fairly fixed size.



(coffee != sleep) & (!coffee == sleep)
Donald.Smith at qwest.com gcia   

> -----Original Message-----
> From: Yiming Gong [mailto:yiming.gong at xo.com] 
> Sent: Monday, March 02, 2009 3:19 PM
> To: Smith, Donald
> Cc: 'nsp-security at puck.nether.net'
> Subject: Re: [nsp-sec] Strong Increase in port 1433/tcp
> 
> for the past 48 hours, I got 10323 unique IPs scanning port 1434
> +---------------------+
> | count(distinct sip) |
> +---------------------+
> |               10323 |
> +---------------------+
> 1 row in set (6.83 sec)
> 
> and of them, only 64 of these unique IPs were using src port 6000. Here
> are the top 10 src ports ordered by the total number of distinct sip.
> 
> +-------+---------------------+
> | sport | count(distinct sip) |
> +-------+---------------------+
> | 6000  |                  64 |
> | 4103  |                  14 |
> | 3786  |                  13 |
> | 4421  |                  13 |
> | 3517  |                  12 |
> | 3848  |                  12 |
> | 4784  |                  12 |
> | 3541  |                  11 |
> | 3588  |                  11 |
> | 3604  |                  11 |
> +-------+---------------------+
> 10 rows in set (7.70 sec)
> 
> Regards!
> 
> Yiming
> 
> Smith, Donald wrote:
> > ----------- nsp-security Confidential --------
> > 
> > That should be SQL not swl :)
> > And I think dasher is the constant since that has been around a LONG time.
> > Can someone that saw this in their darknet validate that the increase is caused by the non-6000-1433 traffic?
> > 
> > 
> > (coffee != sleep) & (!coffee == sleep)
> > Donald.Smith at qwest.com gcia   
> > 
> >> -----Original Message-----
> >> From: nsp-security-bounces at puck.nether.net 
> >> [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of 
> >> Smith, Donald
> >> Sent: Monday, March 02, 2009 1:18 PM
> >> To: 'Klaus Moeller'; 'nsp-security at puck.nether.net'
> >> Subject: Re: [nsp-sec] Strong Increase in port 1433/tcp
> >>
> >> ----------- nsp-security Confidential --------
> >>
> >> Is ~1/2 of it all coming from or going to tcp port 6000?
> >>
> >>
> >> more /tmp/1433.03-02.ips | awk '{ if(($5==6000) || ($8==6000)) print $8}' | wc -l
> >> 458159
> >> wc -l /tmp/1433.03-02.ips
> >> 845859
> >>
> >> Count source port:
> >> Sourced from 6000
> >> 442043 6000
> >> 19026 80
> >> 1784 443
> >>
> >> Destined to 6000
> >> 16116 6000
> >> 12539 80
> >> 1874 443
> >>  624 3759
> >>
> >> Mostly syn scanning.
> >>
> >> This shows 324 non-SYN packets sourced from 6000 destined to 1433.
> >>
> >> cat /tmp/1433.03-02.ips | awk '{ if(($5==6000) && ($10!=2)) print $8}' | wc -l
> >> 324
> >>
> >> So what are those? They are all resets.
> >> w32.dasher used 6000 as a source port and attempted to exploit a Microsoft SQL Server vulnerability.
> >>
> >> http://vil.mcafeesecurity.com/vil/content/v_137567.htm
> >>
> >> Note that your two pictures show a huge increase in source IPs, not destination IPs.
> >> SANS shows targets stayed about the same.
> >>
> >> So is this an outbreak of dasher or is dasher the old noise 
> >> and this is something new?
> >>
> >>
> >> (coffee != sleep) & (!coffee == sleep)
> >> Donald.Smith at qwest.com gcia   
> >>
> >>> -----Original Message-----
> >>> From: nsp-security-bounces at puck.nether.net 
> >>> [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of 
> >>> Klaus Moeller
> >>> Sent: Monday, March 02, 2009 9:42 AM
> >>> To: nsp-security at puck.nether.net
> >>> Subject: [nsp-sec] Strong Increase in port 1433/tcp
> >>>
> >>> ----------- nsp-security Confidential --------
> >>>
> >>>
> >>
> >> _______________________________________________
> >> nsp-security mailing list
> >> nsp-security at puck.nether.net
> >> https://puck.nether.net/mailman/listinfo/nsp-security
> >>
> >> Please do not Forward, CC, or BCC this E-mail outside of the 
> >> nsp-security
> >> community. Confidentiality is essential for effective 
> >> Internet security counter-measures.
> >> _______________________________________________
> >>
> 
> 
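The per-port and per-source counts the thread does with awk and SQL (share of records touching port 6000, the non-SYN packets from 6000 to 1433, distinct scanners per source port, and the fixed-size/pseudo-random check on one top hitter), as an added Python example that is not part of the original messages. The flow-record layout is an assumption: the thread only shows that field 5 is the source port, field 8 the destination port and field 10 the TCP flags, so the example invents a whitespace-separated layout in which those positions line up. The sample records are constructed, using RFC 5737 documentation addresses, not captured traffic.

```python
"""Netflow triage for a port-1433 scan wave (added example, not thread code).

Redoes the thread's ad-hoc awk/SQL counts over a constructed flow file.
Assumed column layout (so awk's $5/$8/$10 match the thread):
  date time proto sip sport dir dip dport pkts flags bytes
"""
from collections import Counter, defaultdict
from ipaddress import ip_address
from typing import NamedTuple

SYN, RST, ACK = 0x02, 0x04, 0x10  # TCP flag bits; field 10 is this bitmask


class Flow(NamedTuple):
    sip: str
    sport: int
    dip: str
    dport: int
    flags: int  # e.g. 2 = SYN only, 4 = RST, 24 = PSH|ACK
    size: int   # bytes on the wire, Ethernet header included


# Constructed sample (RFC 5737 addresses): two source-port-6000 SYN sweepers,
# one RST from 6000, one source with random-looking targets and fixed-size
# data packets, one stray scanner from sport 80, one reply back to port 6000.
SAMPLE = """\
2009-03-02 17:40:01 tcp 198.51.100.7 6000 -> 192.0.2.1 1433 1 2 48
2009-03-02 17:40:01 tcp 198.51.100.7 6000 -> 192.0.2.2 1433 1 2 48
2009-03-02 17:40:02 tcp 198.51.100.7 6000 -> 192.0.2.3 1433 1 2 48
2009-03-02 17:40:02 tcp 198.51.100.7 6000 -> 192.0.2.4 1433 1 4 40
2009-03-02 17:40:03 tcp 198.51.100.8 6000 -> 192.0.2.10 1433 1 2 48
2009-03-02 17:40:03 tcp 198.51.100.8 6000 -> 192.0.2.11 1433 1 2 48
2009-03-02 17:40:05 tcp 203.0.113.9 3786 -> 192.0.2.77 1433 1 2 48
2009-03-02 17:40:05 tcp 203.0.113.9 3787 -> 192.0.2.19 1433 1 2 48
2009-03-02 17:40:06 tcp 203.0.113.9 3788 -> 192.0.2.201 1433 1 2 48
2009-03-02 17:40:06 tcp 203.0.113.9 3788 -> 192.0.2.201 1433 1 24 214
2009-03-02 17:40:06 tcp 203.0.113.9 3790 -> 192.0.2.44 1433 1 2 48
2009-03-02 17:40:06 tcp 203.0.113.9 3790 -> 192.0.2.44 1433 1 24 220
2009-03-02 17:40:07 tcp 203.0.113.9 3792 -> 192.0.2.130 1433 1 2 48
2009-03-02 17:40:09 tcp 203.0.113.21 80 -> 192.0.2.5 1433 1 2 48
2009-03-02 17:40:09 tcp 192.0.2.5 1433 -> 203.0.113.21 6000 1 20 40
"""


def parse_flows(text):
    """Parse whitespace-separated records; skip malformed or non-TCP lines."""
    flows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 11 or f[2] != "tcp":
            continue
        flows.append(Flow(f[3], int(f[4]), f[6], int(f[7]), int(f[9]), int(f[10])))
    return flows


def port_share(flows, port=6000):
    """Thread's first awk: records with `port` as src or dst, and the total."""
    hits = sum(1 for f in flows if port in (f.sport, f.dport))
    return hits, len(flows)


def non_syn_flags(flows, sport=6000, dport=1433):
    """Thread's second awk ($10!=2): flag mix of non-SYN packets sport->dport."""
    return Counter(f.flags for f in flows
                   if f.sport == sport and f.dport == dport and f.flags != SYN)


def distinct_scanners(flows, dport=1433):
    """Thread's first SQL: COUNT(DISTINCT sip) among sources hitting dport."""
    return len({f.sip for f in flows if f.dport == dport})


def top_sports_by_distinct_sip(flows, dport=1433, n=10):
    """Thread's second SQL: sport, COUNT(DISTINCT sip) ... GROUP BY sport."""
    sips = defaultdict(set)
    for f in flows:
        if f.dport == dport:
            sips[f.sport].add(f.sip)
    ranked = sorted(((p, len(s)) for p, s in sips.items()),
                    key=lambda x: (-x[1], x[0]))
    return ranked[:n]


def profile_source(flows, sip, dport=1433):
    """One scanner's signature: a fixed SYN size plus narrowly sized data
    packets hints at a canned exploit; a target walk in address order is a
    sweep, anything else looks like a hit list or a PRNG."""
    mine = [f for f in flows if f.sip == sip and f.dport == dport]
    syn_sizes = {f.size for f in mine if f.flags == SYN}
    data = [f.size for f in mine if f.flags & ACK]
    targets = [int(ip_address(f.dip)) for f in mine if f.flags == SYN]
    steps = [b - a for a, b in zip(targets, targets[1:])]
    return {
        "syn_sizes": syn_sizes,
        "ack_size_range": (min(data), max(data)) if data else None,
        "targets": len(set(targets)),
        "sequential": bool(steps) and all(s == 1 for s in steps),
    }


if __name__ == "__main__":
    flows = parse_flows(SAMPLE)
    print("port 6000 share: %d of %d" % port_share(flows))
    print("non-SYN from 6000->1433:", dict(non_syn_flags(flows)))
    print("distinct scanners:", distinct_scanners(flows))
    print("top sports:", top_sports_by_distinct_sip(flows))
    for sip in ("198.51.100.7", "203.0.113.9"):
        print(sip, profile_source(flows, sip))
```

On real data, feed `parse_flows` the exported flow file after adjusting the field indices to the collector's layout; the `sequential` flag is deliberately strict (every step exactly +1) so that a PRNG-driven scanner like the one described for 77.87.97.8 stands out from a plain address sweep.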